.Aesir file extension virus becomes part of Locky ransomware family

It seems that Locky ransomware's authors entitle new viruses after names of Norse gods. The latest ransomware example is dubbed as .Aesir file extension virus. According to Norse mythology, Æsir is the principal of gods of the pantheon: examples include Thor, Odin, Loki (Locky), and Heimdall. The new version targets around 456 different file types, and again uses a combination of AES-1024 and RSA-2048 to render personal files useless. This ransomware kin has proved that its has been created by high-skilled programmers who definitely know how to manipulate complex obfuscation layers to successfully deliver ransomware to target computers and encrypt all files there.

What’s new in Aesir virus project is that it uses a different C2 server (,, or and drops a differently titled ransomware note - _[set of chars]-INSTRUCTION.html. When encrypting the data, the virus appends gets rid of the original filename and replaces it with a certain set of chars, and also adds .aesir file extension instead of the original one. As soon as it encrypts all files, virus develops a .html file (the ransom note), and saves a copy of it to every folder with encrypted data, including Desktop to deliver information about possible decryption options. The ransom note launches via user’s default web browser and displays the classic Locky’s "! ! ! IMPORTANT INFORMATION ! ! !" message, which provides links to Wikipedia’s articles about RSA and AES cryptographic systems, also ones leading to personal ransom-payment site, and instructions on how to download Tor browser, which helps to access them. Finally, Aesir ransomware virus replaces the desktop image with a black picture featuring text provided in the ransom note.

.Aesir ransomware encodes with with unbreakable encryption, and once files are locked, they’re lost. The criminals working behind this cyber extortion project want victims to pay ransoms in order to receive software that is built based on a secret decryption code that is the only key to data recovery. There is no way to find out this code without criminals’ help, and we can assure you that these scams do not intend to negotiate. They ask to buy certain amount of Bitcoins and send them to their Bitcoin waller to get the Locky decryptor. Instead of taking your hardly-earned money and giving them away to criminals, think whether it’s worth it. You should also take into account the fact that 20% of all ransomware victims who paid the ransom never got their files back because criminals simply refused to provide them with decryption software. You must understand that scammers only care about the money, not about your well-being. Therefore, you should keep your money to yourself and remove .Aesir virus without a doubt.

aesir ransomware virus

Distribution tricks

Our analysis shows that .Aesir file extension virus is currently being distributed using new tactics. Recently, we discovered that Nemucod Trojan downloader is currently being distributed via Facebook spam campaign that delivers the bogus photo to victims. The infectious message contains an attachment that is titled as Photo_[4 random numbers].svg. More experienced computer users might quickly notice that the file extension differs from standard image formats (such as JPG, JPEG or PNG) and might refrain themselves from clicking on it. SVG is an XML-based vector image format, which is capable of carrying a JavaScript code. Once the victim clicks on such file, it redirects him/her to a phishing website that looks like Youtube. Here, crooks use the good old "install an extension to view the video" technique to trick the user to install a malicious piece of software. As soon as the victim install the extension, the virus gets access to victim’s Facebook account and uses it for Aesir proliferation - it sends out messages containing Locky’s newest version to all victim’s friends. At the same time, the malicious extension installs Nemucod, which later on downloads and executes Aesir malware.

Obviously, smaller part of Locky’s group of scams still distributes the virus via malicious email spam campaigns, and in this case, they send out electronic letters featuring "Your order has dispatched #[random numbers]" titles. Victims reportedly receive emails from fake email accounts such as This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it..">This email address is being protected from spambots. You need JavaScript enabled to view it.. The letter carries a .zip attachment, which should not be opened in any case! It delivers a destructive payload that can take away all personal files away for good.

How to remove .Aesir file extension virus and restore encrypted files?

.Aesir file extension virus is not one of those mid-level malware examples that are complex but in one or another case decryptable. Frauds who code this virus know what they’re doing and why they’re doing, and they shamelessly attack innocent computer users who surf the world wide web without expecting to encounter anything bad there. We suggest you remove .Aesir file extension virus as soon as you can along with Nemucod and other malware. For that, employ Reimage. Run the PC in a Safe Mode with Networking first because the malicious program might block your anti-malware tool so that you couldn’t use it against it.

News Courtesy :